Posts for the month of May 2009

OpenID and delegation

Between stackoverflow and LeoCAD's Trac, I finally have a reason to deal with OpenID. One of the touted advantages of OpenID is that "you may already have one" since a number of widely used services double as an OpenID provider. The problem with this is your identity for arbitrary websites is then tied to flickr, or AOL, or whatever OpenID provider you happen to choose. Your identity across the web is then dependent on the continued existence of and support from that organization. I don't want to lose access to my stackoverflow account if flickr goes out of business, for instance.

There is a solution: delegation.

Delegation uses the content of a URL to find another OpenID that is trusted to vouch for that URL. So you can specify a URL on your own website which you control, but delegate the actual authentication to an arbitrary OpenID provider. And you can change that provider without losing your identity on other sites.

The URL on your site must have the appropriate content to indicate the delegation. Enter an OpenID (such as on and it will give you the html required to delegate to that OpenID. Put that html in a page on your website, and use the address as your OpenID. You can partially test it using, but the actual login step on that site doesn't work with a delegated OpenID.

Of course, as I was setting this up, I ran into a couple of technical difficulties. In particular, I wanted to use as my OpenID. But I'm running Trac on the root of my site, so access to that URL will yield a "No handler matched request" error from Trac. The solution is to specify a more specific <Location> in the Apache config. I looked for some kind of "filesystem" handler to specify for that, but the needed handler is none. For my case I needed:

<Location /openid>
  SetHandler none

The next complication is my use of a self-signed SSL cert and forcing all accesses to https. I had to exclude the /openid URL from rewriting to https like this:

  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteCond %{REQUEST_URI} !=/openid/
  RewriteCond %{REQUEST_URI} !=/openid
  RewriteRule ^/(.*)$ https://%{SERVER_NAME}/$1 [R,L]

This sends users to https unless they are trying to access the OpenID.

So now I have an OpenID that has some future-proofing: I am not tied to my current choice of OpenID provider, and there's always the option of running my own at some point in the future.